On Mar 16, 7:13 pm, Mladen Gogala <n..._at_email.here.invalid> wrote:
> On Wed, 16 Mar 2011 11:12:30 -0700, byrocat wrote:
>
> > Our database security standard specifies the privileges that are
> > supposed to be in place (750 or less on all files and subdirectories
> > under $ORACLE_HOME except for $ORACLE_HOME/bin and sub-directories and
> > files which have 755 or less).
> >
> > Turns out that no one installed a new copy of Oracle until just recently
> > and then found that the tools installed (SQLPlus) don't work.
> >
> > I've found an ISACA book called "Oracle Database Security, Audit and
> > Control Features" which recommended that the world-read privilege be
> > revoked for everything under $ORACLE_HOME. Chart 7.2 lays out the files
> > and directories and the specific privileges for each. This chart is used
> > in a lot of documents, here's one:
> > http://www.isacanashville.org/files/presentations/Oracle-Database-Security-Update.pdf
> > Slide 25 is the one with the chart.
> >
> > Has anyone followed this recommendation and what has happened to your
> > server and databases?
>
> Those recommendations are pretty much default. There is nothing unusual
> there. Some recommendations are just plain silly, for instance the
> recommendation for $ORACLE_HOME/rdbms/log. As of the version 10g, the
> only real thing happening there is expdp/impdp. The DBA that would allow
> users to start export into the $ORACLE_HOME directory tree would deserve
> to be executed in public by being forced to watch movies with Nicholas
> Cage or the "Twilight Saga".
>
> --
> http://mgogala.byethost5.com

Most of those security sites recommend things that just do not make
any sense (mostly they recommend security through obscurity). Like
using a non-default port for the listener. Why? A decent portscanner
will find it in about a millisecond anyway. Take care of your
security within your databases. Use strong passwords. Remember,
however, that prior to 11gR2, passwords were not case-sensitive. You
could enter them case-sensitive but it really didn't use it case-sensitive.
This will freak out most security folks.

IMO, things like expdp/impdp should be left to the DBA staff. There
are too many ways a user could really mess things up with this
access. Don't give users login access to the database servers.
Ensure the application(s) handle the things necessary to maintain
security. If necessary, use OLS (Oracle Label Services) to keep people
from seeing too much. etc, etc, etc...
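
Added example, not part of either poster's message: a POSIX shell audit of the mode limits quoted at the top of the thread (750 or less under $ORACLE_HOME, 755 or less under $ORACLE_HOME/bin). The function names and the sample tree are constructed for illustration, and only the nine rwx bits are checked (setuid/setgid/sticky are ignored as an assumption).

```shell
#!/bin/sh
# Audit a directory tree against the limits quoted in the thread.
# Output: one line per finding, "over-750 PATH" or "over-755 PATH".

audit_oracle_home() {
    home=${1%/}
    [ -d "$home" ] || { echo "not a directory: $1" >&2; return 2; }

    # Outside bin: "750 or less" means no g+w and no bits at all for others.
    find "$home" -path "$home/bin" -prune -o \
        \( -type f -o -type d \) \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print | sed 's/^/over-750 /'

    # bin and below: "755 or less" means no g+w and no o+w.
    if [ -d "$home/bin" ]; then
        find "$home/bin" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) \
            -print | sed 's/^/over-755 /'
    fi
}

# Constructed sample tree (not a real Oracle install) for trying the audit.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/lib" "$d/network"
    : > "$d/bin/sqlplus";  : > "$d/bin/loose"
    : > "$d/lib/libok.so"; : > "$d/lib/libworld.so"
    : > "$d/network/listener.ora"
    chmod 755 "$d/bin" "$d/bin/sqlplus"
    chmod 775 "$d/bin/loose"            # group-writable: exceeds 755
    chmod 750 "$d" "$d/lib" "$d/network" "$d/lib/libok.so"
    chmod 644 "$d/lib/libworld.so"      # world-readable: exceeds 750
    chmod 640 "$d/network/listener.ora" # within 750
    echo "$d"
}
```

Against a real install it would be called as `audit_oracle_home "$ORACLE_HOME"`; symbolic links are skipped because their own mode bits carry no meaning.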